How To Set Up Two Factor Authentication (2FA)
We have talked about Two Factor Authentication (2FA) in many of our blogs and, honestly, won’t tire of advocating it. In this blog post, we will walk you through a step-by-step process for setting up 2FA in G Suite. If you are already familiar with 2FA, you can skip the intro section and scroll directly to the instructions for setting up 2FA.
What Is 2FA?
Two-factor authentication (2FA) is a type of multi-factor authentication, where a factor is a method of verifying your identity. In 2FA, your username/password pair is the first authentication factor, and a one-time password (OTP) sent to your mobile device as an SMS can be the second factor.
The most commonly used authentication factor is the username/password pair. However, this method is becoming more and more vulnerable, because passwords are exposed in data breaches and are often chosen and handled with poor password hygiene. By combining authentication factors, you add an extra layer of security that makes it much more difficult for attackers to gain access to your accounts.
How Does 2FA Work?
2FA, which is sometimes also called two-step authentication, is a means of confirming a user’s identity. As the name suggests, it has two steps. The first step requires the user to confirm their claimed identity using something that they know, i.e. their password. The second step requires them to prove their identity using something other than what they know, i.e. something that they have or something that they are.
A password is a memory- or knowledge-based authentication factor. Secret questions are also knowledge-based and therefore belong to the same factor category, so a password combined with a secret question is not genuine 2FA. Genuine 2FA requires two separate authentication factors: your password, i.e. the knowledge-based factor, and a second factor, such as:
Something you have - a mobile device or a thumb drive
Something you are - facial recognition or other biometrics
Somewhere you are - geographic location or network
Only when the user supplies both factors do they get access to their account. If an attacker wants to gain access to your account, they have to obtain both factors, which is much harder than obtaining a password alone.
Examples Of 2FA
Here are some examples of 2FA, used in conjunction with your username/password pair:
Physical security keys, which connect to your computer via USB or Bluetooth.
Small hardware tokens, which display a code that changes periodically.
Biometrics such as a thumbprint or retina scan.
Applications such as Google Authenticator, which display time-based one-time passwords.
Why Should You Use 2FA?
The foremost reason why you must use 2FA is that passwords are becoming less secure. We touched upon this briefly in a previous section but let’s take a closer look at it.
According to Verizon’s 2020 Data Breach Investigations Report, over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. If you browse cybersecurity news, you know that data breaches are becoming increasingly common. Millions of email/password pairs are put up for sale on the internet rather regularly. Another worrying characteristic of passwords is that users tend to reuse them. It is then only a matter of time before an attacker plugs your stolen credentials into the right website and gains access to your account.
Secondly, as we mentioned earlier, knowledge-based security questions don’t provide much security. Security questions such as "In which city were you born?" or "What's your mother's maiden name?" are weak because a lot of your personal information is readily available on social media. In addition, such information can also be acquired through social engineering.
Most cyber-attacks your accounts face will be part of large-scale campaigns. If you have additional security such as 2FA enabled, the cybercriminals will simply move on to more vulnerable accounts. In most cases, you just need to stay ahead of the crowd. 2FA provides you with such a layer of security that most cybercriminals won’t even try to hack into your account.
Here’s a step-by-step guide for setting up 2FA on your G Suite using your admin account:
1) Log in to the G Suite admin portal
2) Select the Security tab (shield icon)
Scroll down to 2-Step Verification
On the left-hand side, under “Organizational Unit”, select the main organization (or, if there are specific organizational units that you want to configure separately or need to exclude, select that organizational unit and continue)
If you need to create an organizational unit that is exempt from 2FA, please refer to the “Service Accounts” section below.
3) On the right-hand side you will have multiple options, configure them as follows:
Authentication:
Allow users to turn on 2-Step Verification: Checked
New user enrollment period:
Can be anything from 1 day to 6 months
The recommended period is 1 week to 3 Months
Frequency:
Allow users to trust the device: This option reduces how often users are prompted for 2FA, since a trusted device is not prompted on every login. (This is optional and should be set according to your company’s security needs.)
Methods:
Any: This option is the simplest to implement but the least secure, since text messages and phone calls are more susceptible to compromise.
Any except verification code via text, phone call: This limits users to an authenticator app, Google prompt (push notification), or a hardware security key, which is considerably more secure.
Only Security Key: This provides the highest security, as it only allows hardware security keys.
4) Save after selecting your configuration options.
To check user enrollment progress see “Monitoring 2FA Enrollment” section below.
Service Accounts
Follow these steps if there are any accounts that you don’t want to have 2FA enforced. This is useful for any shared/service accounts you don’t want to be enrolled in 2FA.
1) Log in to the G Suite admin portal
2) On the home page, select Organizational units
3) If you already have an organizational unit for these kinds of accounts, skip to step 6 below.
4) In Organizational units, select the yellow + on the left-hand side
5) In the popup box, you will be given a few options
Name of organizational unit: “Shared accounts, No drive, etc.”
Description: quick explanation so any other admin can easily verify what this org is used for.
Parent organizational unit: You can keep the current value
Click Create
6) Once this is done, assign those specific accounts to this new Organizational unit.
Monitoring 2FA enrollment
1) Log in to the G Suite admin portal
2) On the home page, select “Reports”
3) From the Reports drop-down, select User reports > Security
This gives you a holistic view of all users’ security settings
4) From here, use the search bar to filter for “2-step Verification enrollment” and select this option.
Apply the filter “Not enrolled”
You will now be given a list of accounts that are not currently enrolled in 2FA but should have 2FA enforced.
5) From this list, you can monitor 2FA enrollment and send follow-up emails until you reach 100% enrollment.
Alternatively, the reports can also be accessed directly using this link: https://admin.google.com/u/1/ac/reporting/report/user/security
Conclusion
We like 2FA because it provides excellent security even though it is relatively easy to implement. In addition, if you choose the right factor, it isn’t burdensome for the end-users, which means there won’t be much resistance to its adoption.
Now that you have added a layer of security to your account access process, you might want to look into improving your security posture at other fronts. Get in touch with our IT Security experts to figure out how you can make your business more secure.
If you liked the blog, please share it with your friends